Apache Releases Security Update for HTTP Server
by CIRT Team
DESCRIPTION:
The Apache Software Foundation has released Apache HTTP Server 2.4.52.
Reference: https://downloads.apache.org/httpd/Announcement2.4.html
CVE-2021-44790 (CVSS score: 9.8, CRITICAL) - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
CVE-2021-44224 (CVSS score: 8.2, HIGH) - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
IMPACT:
Apache HTTP Server 2.4.52 addresses vulnerabilities CVE-2021-44790 and CVE-2021-44224, one of which may allow a remote attacker to take control of an affected system.
RECOMMENDATIONS:
Updates are available. Please see the references or vendor advisory for more information.
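To decide which hosts need the 2.4.52 update first, the following added triage helper (not part of this advisory or of the Apache project) checks an httpd version banner and configuration text against the affected ranges and the configuration conditions stated above: mod_lua loaded for CVE-2021-44790 and ProxyRequests On for CVE-2021-44224. The banner and configuration below are constructed sample input.

```python
"""Triage helper for the Apache httpd 2.4.52 advisory (CVE-2021-44790, CVE-2021-44224)."""
import re

FIXED = (2, 4, 52)  # first release carrying both fixes, per the advisory


def parse_version(banner):
    """Extract (major, minor, patch) from 'httpd -v' output or a bare version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no httpd version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def config_flags(config_text):
    """Detect the two configuration conditions the advisory ties each CVE to.
    Comments (#...) are stripped; directives match case-insensitively, as httpd parses them."""
    lua = proxy_requests = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # mod_lua loaded is a necessary condition for CVE-2021-44790; exposure also
        # needs a Lua script that calls r:parsebody(), which config text alone cannot show.
        if re.match(r"LoadModule\s+lua_module\b", line, re.I):
            lua = True
        # Forward-proxy mode is the condition the advisory gives for CVE-2021-44224.
        if re.match(r"ProxyRequests\s+On\b", line, re.I):
            proxy_requests = True
    return {"mod_lua": lua, "proxy_requests": proxy_requests}


def assess(banner, config_text):
    """Return the advisory CVEs that apply to this version and configuration."""
    v = parse_version(banner)
    flags = config_flags(config_text)
    findings = []
    if v <= (2, 4, 51) and flags["mod_lua"]:          # "2.4.51 and earlier"
        findings.append("CVE-2021-44790")
    if (2, 4, 7) <= v <= (2, 4, 51) and flags["proxy_requests"]:  # "2.4.7 up to 2.4.51 (included)"
        findings.append("CVE-2021-44224")
    return {"version": v, "patched": v >= FIXED, "findings": findings, **flags}


if __name__ == "__main__":
    # Constructed sample: an unpatched forward proxy that also loads mod_lua.
    sample_conf = "LoadModule lua_module modules/mod_lua.so\nProxyRequests On\n"
    print(assess("Server version: Apache/2.4.51 (Unix)", sample_conf))
```

Distribution packages often backport fixes without changing the version banner, so treat a "not patched" result as a prompt to check the distribution's own advisory rather than as proof of exposure.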
REFERENCES:
http://httpd.apache.org/security/vulnerabilities_24.html
https://downloads.apache.org/httpd/Announcement2.4.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44790
https://nvd.nist.gov/vuln/detail/CVE-2021-44224
Published: 23 December 2021, 13:41:18 BST